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1 . The handling of “classified national security information” spillage is a 
Government- wide challenge. Current national policy does not provide guidance for 
handling such incidents. With the continued and ever increasing interconnection of 
information systems (ISs), the extent and risk of classified information spillage increase 
dramatically. 

2. This policy provides a framework for the consistent handling of spillage of 
classified information onto an unclassified IS, or higher- level classified information onto 
a lower level classified IS, to include non-government systems. 

3. Additional copies of this policy may be obtained from the Secretariat or the 
CNSS Website - www.cnss.gov . 
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NATIONAL POLICY 

ON 

CLASSIFIED INFORMATION SPILLAGE 



SECTION I - SCOPE 

1. This policy applies to the spillage of classified national security information^ 
on any IS, be it government or non-government systems. It provides a framework for the 
consistent handling of the spillage of classified national security information onto an 
unclassified IS, or higher-level classified national security information onto a lower level 
classified IS or onto an IS not accredited to the appropriate level. 

2. Nothing in this policy shall alter or supersede the existing authorities of the 
Director of National Intelligence (DNI). 



SECTION II - REFERENCES 

3. References are listed in ANNEX A. 



SECTION III - DEFINITIONS 

4. Definitions in Reference f. apply to this policy; additional terms are defined in 
ANNEX B. 



SECTION IV - POLICY 

5. All government departments, agencies, and their contractors (consistent with 
Reference b.) that own or operate IS used to collect, generate, process, store, display, or 
transmit/receive national security information shall establish policies and procedures for 
handling classified information spillage. Reference e. applies to all contractors. 
Information concerning a spillage incident shall be protected from disclosure consistent 
with References a. through d. (and as prescribed in the process below). These policies 
and procedures shall ensure that all classified information spillage, either onto an 
unclassified IS, or to an IS with a lower level of classification, or onto an IS not 
accredited to the appropriate level, is immediately: 



* Classified national security information is defined in Reference a. 
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a. Reported to the appropriate authorities. These authorities shall minimally 
include the information owner, the Information Assurance Manager (IAM)/Information 
System Security Manager (ISSM), the Activity Security Manager, and the responsible 
incident response center in accordance with [provisions of] Reference c. 

b. Isolated and contained to minimize damage and to preserve evidence that 
may be required for damage assessment, risk assessment, law enforcement, or counter 
intelligence purposes. All affected media will be considered classified at the same level 
as the spilled information until government departments, agencies, and their contractors 
have executed their process for information spillage. 

c. Verified by the information owner, who shall also ensure an assessment is 
conducted, as appropriate, in accordance with References a. and d. 

6. Decisions regarding mitigation procedures, including disposition of affected 
media (i.e., sanitization, physical removal, or destruction), shall realistically consider the 
potential harm that may result from compromise of spilled information. 



SECTION V - RESPONSIBILITIES 

7. Heads of Federal Departments and Agencies shall: 

a. Ensure compliance with the requirements of this policy. 

b. Ensure resources are available to implement this policy. 

c. Incorporate the content of this policy into user training and awareness 

programs. 



Enel: 

ANNEX A REEERENCES 
ANNEX B DEEINTIONS 



2 




Committee on National Security Systems 



ANNEX A 
REFERENCES 



a. Executive Order 12958, “Classified National Security Information,” 28 
March 2003, as amended. 

b. Executive Order 12829, National Industrial Security Program, 16 
September 1993, as amended. 

c. Public Eaw 107-347, E-Government Act of 2002, Title III, Eederal 
Information Security Management Act of 2002, 17 December 2002. 

d. CER Part 2001, “Classified National Security Information,” (Information 
Security Oversight Office Directive No. 1), 22 September 2003. 

e. Department of Defense 5220.22-M, “National Industrial Security Program 
Operating Manual,” 28 Eebruary 2006. ^ 

f. CNSS Instruction No. 4009, “National Information Assurance (lA) 
Glossary,” May 2003 or its successor. 
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Only applies to U.S. Government Contractors with classified contracts. 



3 




Committee on National Security Systems 



ANNEX B 
DEFINTIONS 



Terms used in this policy are defined in Reference f. with the exception of the following: 



ACTIVITY SECURITY MANAGER: Individual specifically designated and responsible 
for ensuring that classified information is properly handled during its entire lifecycle. 

This includes ensuring it is appropriately stored, processed, disseminated, disposed of, 
and accounted for, as well as providing guidance on the handling of security incidents to 
minimize adverse effects and ensure the appropriate corrective action is taken. 

DESTRUCTION: Obliteration or disintegration by physically destroying the media 

(e.g., shredding, degaussing, smashing, grinding, melting. . .) so that the media cannot be 
reused. 
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